“The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Alongside the bulletin, we have released a security update to Google devices through an over-the-air (OTA) update.”

This bulletin includes an Android patch for the Dirty COW vulnerability (CVE-2016-5195). Great news for owners of Pixel and Nexus devices, but what about everybody else? There’s no telling how long it might take for a fix to filter down to devices manufactured by other vendors. In a blog post, Mobile Security Analyst Sergi Àlvarez I Capilla explains the update and the dangers of Dirty COW and also demonstrates in a video that the vulnerability can be exploited even on non-rooted devices.

“All mobile devices — smartphones, tablets, wearable tech — are targets, but Android, the phone OS reportedly used by the president-elect, has some serious security issues, mainly those allowing for ‘escalation of privilege’ attacks.”

“Application developers for Apple’s iOS platform are running against an end-of-the-year deadline to encrypt all communications to and from iOS apps using the platform’s encryption standard, known as App Transport Security or ATS”

During a panel discussion in August about 2016 trends in Android and iOS security, Director of Research David Weinstein reported that 80 percent of the top 50 free iOS apps he analyzed opted out of App Transport Security (ATS) via the NSAllowsArbitraryLoads flag. The January 1, 2017 ATS deadline is Apple’s attempt to enforce a minimum level of secure communication between iOS apps and back-end services over HTTPS. We consider implementing ATS a secure mobile development best practice. Apple will allow exceptions with justification. In the interpretation of Apple’s ATS documentation by MoPub (a hosted mobile ad-serving provider owned by Twitter), an acceptable justification for an exception is “loading web content from a variety of sources (for ads).”
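As an added check that is not part of the original post: a small Python audit that reads an app’s Info.plist and reports the ATS opt-outs described above, both the global NSAllowsArbitraryLoads flag and per-domain exceptions. The plist content and bundle identifier are constructed sample values, not from any real app.

```python
import plistlib

# Constructed sample Info.plist fragment for a hypothetical app (not from the page).
# It disables ATS globally and also carves out a plain-HTTP exception for one domain.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.sampleapp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSIncludesSubdomains</key><true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Constructed sample with no NSAppTransportSecurity dictionary: ATS stays fully enforced.
SECURE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.secureapp</string>
</dict>
</plist>
"""


def audit_ats(plist_bytes):
    """Return a list of findings describing how the app weakens ATS (empty = fully enforced)."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads=true: ATS disabled for all connections")
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        findings.append("NSAllowsArbitraryLoadsInWebContent=true: ATS disabled inside web views")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            scope = " (and subdomains)" if rules.get("NSIncludesSubdomains") else ""
            findings.append(f"plain HTTP permitted to {domain}{scope}")
    return findings


if __name__ == "__main__":
    for line in audit_ats(SAMPLE_PLIST):
        print("FINDING:", line)
```

Point it at the Info.plist extracted from an .ipa to get the same report for a real build.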

“New data analyzing SEC disclosures found 83% of publicly traded companies worry most about the risk of brand damage via hacks exposing customer or employee information. Public businesses fear the possibility of losing customer or employee’s personally identifiable information (PII) and the subsequent brand-damage fallout more so than other risks.”

Mobile devices and apps collect massive amounts of personally identifiable information (PII) and metadata that reveal an incredible level of detail about customers’ and employees’ personal and work lives. And we know for a fact that mobile apps are a point of leakage — see for yourself in the 2016 NowSecure Global Security Report. The data trickling out of apps contributes to the risk of a data breach or security incident. Enterprises looking to reduce brand and regulatory risk and avoid financial loss and recovery costs need to train their developers on secure mobile development best practices, perform security assessments on the apps they develop for customer and internal use, and get visibility into the risk profiles of the apps used by their workforce.

“Researchers in Austria have unearthed a pair of backdoor accounts in more than 80 different IP camera models made by Sony Corp. Separately, Israeli security experts have discovered trivially exploitable weaknesses in nearly a half-million white-labeled IP camera models that are not currently sought out by Mirai.”

“The kinds of second-factor security keys for which the FIDO Alliance advocates are valuable tools for securing user devices, suggests a new report from Google.”

The study compared the ease of use, security, and support costs of hardware tokens, phone-based one-time password (OTP) generators, and two-step verification over SMS as a second factor for authentication. The researchers concluded that “Security Keys provide the strongest security with the best mix of usability and deployability.”